CVE-2025-6691
BaseFortify
Publication date: 2025-07-09
Last updated on: 2025-07-11
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| brainstormforce | sureforms | From 0.0.2 (inc) to 0.0.14 (exc) |
| brainstormforce | sureforms | From 1.0.0 (inc) to 1.0.7 (exc) |
| brainstormforce | sureforms | From 1.1.0 (inc) to 1.1.2 (exc) |
| brainstormforce | sureforms | From 1.2.0 (inc) to 1.2.5 (exc) |
| brainstormforce | sureforms | From 1.3.0 (inc) to 1.3.2 (exc) |
| brainstormforce | sureforms | From 1.4.0 (inc) to 1.4.5 (exc) |
| brainstormforce | sureforms | From 1.6.0 (inc) to 1.6.5 (exc) |
| brainstormforce | sureforms | From 1.7.0 (inc) to 1.7.4 (exc) |
| brainstormforce | sureforms | 1.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the SureForms β Drag and Drop Form Builder for WordPress plugin, where an insufficient file path validation in the delete_entry_files() function allows unauthenticated attackers to delete arbitrary files on the server. This can lead to serious consequences such as remote code execution if critical files like wp-config.php are deleted.
How can this vulnerability impact me? :
The vulnerability can allow attackers to delete important files on your server without authentication. This can disrupt your website's functionality and potentially allow attackers to execute remote code, leading to full compromise of your WordPress site and server.